Virus scan on server, stats somefiles are infected

Rhino13 · August 31, 2021, 12:45pm

ATTENTION!
Version 1.5.11, did a virus scan and it picks up some files if IP to be malicious files

./vendor/mpdf/mpdf/src/Barcode/Code128.php line 202:
./vendor/symfony/http-foundation/Request.php line 1123:

./vendor/mpdf/mpdf/src/Barcode/Code128.php line 202: looks like this

// add start, check and stop codes
		$code = chr($startid) . $code . chr($check) . chr(106) . chr(107);

message with the scan looks like this : PHP105 unnecessary chr call : odes $code = chr($startid) . $code . chr($check) . chr(106) . chr(107); $bararray = [‘code’ => $code, ‘maxw’ => 0, ’

./vendor/symfony/http-foundation/Request.php line 1123:: looks like this

$sourceDirs = explode('/', isset($basePath[0]) && '/' === $basePath[0] ? substr($basePath, 1) : $basePath);
        $targetDirs = explode('/', substr($path, 1));
        array_pop($sourceDirs);
        $targetFile = array_pop($targetDirs);

message with the scan looks like this: BDS003 phpshell: Split directory into parts for browser : Dirs = explode(’/’, substr($path, 1)); array_pop($sourceDirs); $targetFile = array_pop($targetDirs);

M4rt1n · September 2, 2021, 11:48am

In reply to your report:

1. Virus

1.1. As this (as you can see from the path) refers to “mpdf” this first is a thirth party code which is not getting maintained by IncoicePlane.
1.2. This refers to this FILE & LINES (link to GitHub) and shows that these lines has been added in the very first commit of this file back in 2017.
1.3. What does these functions do? Well here the resolution:

chr(106) = "j"
chr(107) = "k"

Proof:

<?php
echo "chr(106) = '" . chr(106) . "'\n";
echo "chr(107) = '" . chr(107) . "'\n";
?>

Execute this code here: https://sandbox.onlinephpfunctions.com/
Or follow this Link here: PHP Sandbox - Execute PHP code online through your browser
With what ever PHP Version you like.

Why these are added please ask at mpdf.

2. Virus

2.1. this (as you can see from the path) refers to “symfony” this first is a thirth party code which is not getting maintained by IncoicePlane.
2.2. This refers to this FILE & LINES (link to GitHub) and is still part of Symfonys latest version.
2.3. what your “virus programm” has detected is a function that splitts the path. How shall this be a virus or bad in any way. It like a policeman reports you for “walking”. There is nothing wrong with walking… very normal

Corret, this is a very common way to splitt the path to make it relative to the path from the rootdirectory

Also pls always report which Virus scanner you have used and try to understand the code, as also the report from the virus scanner yourself.

Rhino13 · September 3, 2021, 7:07am

thank you for the feedback, I got the scan from the server admin and only the results. will follow up with them. thank you once again